<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - lld crashing due to corrupt DefinedImportThunk"
   href="https://bugs.llvm.org/show_bug.cgi?id=38248">38248</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>lld crashing due to corrupt DefinedImportThunk
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>lld
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Windows NT
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>COFF
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>eric@andante.org
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>I don't really have a good testcase, but I can describe the general sequence of
events.

I am linking a Windows application that links against dlls.  It creates
numerous DefinedImportThunk symbols, and this ultimately goes according to
plan.  But later on in the linking stage, it includes an object file that also
defines one of the imported symbols, and it tries to fix this in this bit of
code:

Symbol *SymbolTable::addRegular(InputFile *F, StringRef N,
                                const coff_symbol_generic *Sym,
                                SectionChunk *C) {
  Symbol *S;
  bool WasInserted;
  std::tie(S, WasInserted) = insert(N);
  if (!isa<BitcodeFile>(F))
    S->IsUsedInRegularObj = true;
  if (WasInserted || !isa<DefinedRegular>(S)) {
    replaceSymbol<DefinedRegular>(S, F, N, /*IsCOMDAT*/ false,   <--- Here.
                                  /*IsExternal*/ true, Sym, C);
  } else
    reportDuplicate(S, F);
  return S;
}

This effectively tweaks the DefinedImportThunk symbol and changes it to a
DefinedRegular symbol.

The crash comes up at a later time in Writer::createImportTables(), where it
does this:

  for (ImportFile *File : ImportFile::Instances) {
    if (!File->Live)
      continue;

    if (DefinedImportThunk *Thunk = File->ThunkSym)
      Text->addChunk(Thunk->getChunk());                        <--- Here

    if (Config->DelayLoads.count(StringRef(File->DLLName).lower())) {
      if (!File->ThunkSym)
        fatal("cannot delay-load " + toString(File) +
              " due to import of data: " + toString(*File->ImpSym));
      DelayIdata.add(File->ImpSym);
    } else {
      Idata.add(File->ImpSym);
    }
  }

In particular, File->ThunkSym is no longer a DefinedImportThunk symbol, and
Thunk->getChunk() points to something completely unrelated.  This is what
ultimately causes the linker to crash.

In theory, one can add a check in Writer::createImportTables() to sanity check
ThunkSym.  While it prevents the crash, I have my doubts that this is a correct
fix.</pre>
        </div>
      </p>
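The sequence the report describes, reduced to a small model (added here; not lld's code, and the Symbol, ImportFile, replaceSymbol and isa names are simplified stand-ins for the real ones): replaceSymbol() constructs a new kind in the same slot, so ImportFile::ThunkSym becomes a stale pointer typed as a thunk, and the kind check the reporter mentions for createImportTables() is what catches it.

```cpp
#include <cstdint>
#include <new>

// Every Symbol occupies one fixed slot; replaceSymbol() constructs a new
// kind in place there, so pointers into the slot keep their old static type.
enum class Kind : uint8_t { ImportThunk, Regular };

struct Symbol {
  Kind SymbolKind;
  const char *Name;
  Symbol(Kind K, const char *N) : SymbolKind(K), Name(N) {}
};
struct Chunk { uint32_t Rva; };

struct DefinedImportThunk : Symbol {
  Chunk *ThunkChunk;  // only meaningful while the slot really holds a thunk
  DefinedImportThunk(const char *N, Chunk *C) : Symbol(Kind::ImportThunk, N), ThunkChunk(C) {}
  static bool classof(const Symbol *S) { return S->SymbolKind == Kind::ImportThunk; }
};
struct DefinedRegular : Symbol {
  uint64_t SectionOffset;  // after replacement, these bytes overlay ThunkChunk
  DefinedRegular(const char *N, uint64_t Off) : Symbol(Kind::Regular, N), SectionOffset(Off) {}
  static bool classof(const Symbol *S) { return S->SymbolKind == Kind::Regular; }
};
template <class T> bool isa(const Symbol *S) { return T::classof(S); }

struct SymbolSlot { alignas(16) unsigned char Buf[64]; };  // room for either kind

// In-place replacement: same address, different dynamic type (the addRegular path).
template <class T, class... Args> T *replaceSymbol(SymbolSlot *Slot, Args... A) {
  return new (Slot->Buf) T(A...);
}
struct ImportFile { DefinedImportThunk *ThunkSym = nullptr; };

// The sanity check for createImportTables(): re-validate the typed pointer's
// kind tag before trusting ThunkChunk, instead of dereferencing it blindly.
bool thunkIsStillAThunk(const ImportFile &F) {
  return F.ThunkSym && isa<DefinedImportThunk>(F.ThunkSym);
}

// Replay the reported sequence: thunk created, then overwritten by a regular
// definition of the same name. Returns true if the check catches the stale pointer.
bool replacedThunkIsDetected() {
  static SymbolSlot Slot;
  static Chunk ThunkCode{0x1000};  // constructed sample chunk
  ImportFile File;
  File.ThunkSym = replaceSymbol<DefinedImportThunk>(&Slot, "__imp_foo", &ThunkCode);
  bool BeforeOk = thunkIsStillAThunk(File);               // true: slot is a thunk
  replaceSymbol<DefinedRegular>(&Slot, "foo", 0x40ULL);   // object file redefines it
  bool AfterOk = thunkIsStillAThunk(File);                // false: ThunkSym is stale
  return BeforeOk && !AfterOk;
}
```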


    </body>
</html>